Profile Applicability
 • Level 1

Description
 Ensure the database engine receives regular updates and patches to mitigate known vulnerabilities and strengthen overall security posture.

Rationale
 Staying updated with the latest patches helps protect systems against vulnerabilities that could be exploited. Regular updates reduce the risk of a security breach due to outdated software components.

Impact
 Pros:
 • Mitigates security vulnerabilities.
 • Helps maintain system stability and performance.

 Cons:
 • May require scheduled downtime during maintenance.
 • Potential for patch incompatibilities if not tested first.

Default Value
 By default, automatic updates are not always enabled for all database services. Manual intervention or configuration is typically required.

Pre-requisites
 • Access to AWS Console or CLI.
 • IAM permissions to modify database configuration.
 • Knowledge of database engine version compatibility.

Remediation

Test Plan

  1. Log in to the AWS Console.

  2. Navigate to the target database service (RDS, DocumentDB, Timestream, etc.).

  3. Verify that the latest engine version is installed and that minor updates have been applied.

  4. Check the maintenance schedule for patching windows.

Implementation Plan

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the database service (e.g., RDS, DocumentDB, Timestream).

  3. Select the database instance or cluster.

  4. Go to the Maintenance section.

  5. Enable Auto Minor Version Upgrade if applicable.

  6. Schedule a maintenance window if required.

  7. Save the configuration.

Using AWS CLI

  1. List DB instances:

     aws rds describe-db-instances

  2. Modify the instance to enable automatic minor version upgrades:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --auto-minor-version-upgrade

  3. Apply pending maintenance manually:

     aws rds apply-pending-maintenance-action --resource-identifier <arn> --apply-action system-update --opt-in-type immediate

  4. Monitor update status:

     aws rds describe-events --source-identifier <db-instance-id> --source-type db-instance
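The following script is an added example, not part of this benchmark or of any AWS tooling. It combines the Test Plan (check whether each instance has auto minor version upgrade enabled and whether system updates are still pending) with the CLI implementation steps by turning the output of `aws rds describe-db-instances --output json` and `aws rds describe-pending-maintenance-actions --output json` into a per-instance pass/fail report and printing the remediation commands from the steps above for every failing instance. The instance identifiers, ARNs, engine versions and dates are constructed sample data; the JSON field names are those of the RDS API responses, and the script assumes the two JSON documents are supplied as strings (in practice you would pipe the CLI output into it).

```python
import json

# Constructed sample of `aws rds describe-db-instances --output json` (not real account data).
DESCRIBE_DB_INSTANCES = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "orders-prod",
            "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:orders-prod",
            "Engine": "postgres",
            "EngineVersion": "15.4",
            "AutoMinorVersionUpgrade": False,
            "PreferredMaintenanceWindow": "sun:05:00-sun:06:00",
        },
        {
            "DBInstanceIdentifier": "analytics-dev",
            "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:analytics-dev",
            "Engine": "mysql",
            "EngineVersion": "8.0.35",
            "AutoMinorVersionUpgrade": True,
            "PreferredMaintenanceWindow": "sat:03:00-sat:04:00",
        },
    ]
})

# Constructed sample of `aws rds describe-pending-maintenance-actions --output json`.
PENDING_ACTIONS = json.dumps({
    "PendingMaintenanceActions": [
        {
            "ResourceIdentifier": "arn:aws:rds:us-east-1:111122223333:db:orders-prod",
            "PendingMaintenanceActionDetails": [
                {
                    "Action": "system-update",
                    "AutoAppliedAfterDate": "2024-03-10T00:00:00Z",
                    "CurrentApplyDate": "2024-03-10T05:00:00Z",
                    "Description": "New Operating System update is available",
                }
            ],
        }
    ]
})


def audit(instances_json, pending_json):
    """Return one finding per DB instance: the two compliance checks plus the
    benchmark's remediation commands for anything that fails."""
    instances = json.loads(instances_json)["DBInstances"]
    pending = json.loads(pending_json)["PendingMaintenanceActions"]

    # Index pending actions by resource ARN so each instance is looked up once.
    pending_by_arn = {
        p["ResourceIdentifier"]: [d["Action"] for d in p["PendingMaintenanceActionDetails"]]
        for p in pending
    }

    findings = []
    for db in instances:
        ident = db["DBInstanceIdentifier"]
        arn = db["DBInstanceArn"]
        auto_minor = bool(db.get("AutoMinorVersionUpgrade", False))
        actions = pending_by_arn.get(arn, [])

        fixes = []
        if not auto_minor:
            fixes.append(
                f"aws rds modify-db-instance --db-instance-identifier {ident} "
                "--auto-minor-version-upgrade"
            )
        for action in actions:
            # Pending maintenance is treated as a finding: the update exists but is not yet applied.
            fixes.append(
                f"aws rds apply-pending-maintenance-action --resource-identifier {arn} "
                f"--apply-action {action} --opt-in-type immediate"
            )

        findings.append({
            "instance": ident,
            "engine": f"{db['Engine']} {db['EngineVersion']}",
            "auto_minor_version_upgrade": auto_minor,
            "pending_actions": actions,
            "maintenance_window": db.get("PreferredMaintenanceWindow"),
            "compliant": auto_minor and not actions,
            "remediation": fixes,
        })
    return findings


def non_compliant(findings):
    """Identifiers of the instances that fail at least one check."""
    return [f["instance"] for f in findings if not f["compliant"]]


if __name__ == "__main__":
    for f in audit(DESCRIBE_DB_INSTANCES, PENDING_ACTIONS):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['instance']} ({f['engine']}) window={f['maintenance_window']}")
        for cmd in f["remediation"]:
            print("    ", cmd)
```

With the sample data, orders-prod fails both checks (auto minor version upgrade is off and a system-update is pending) and the script prints the modify-db-instance and apply-pending-maintenance-action commands for it, while analytics-dev passes. The maintenance window is reported alongside each result so step 4 of the Test Plan can be reviewed from the same output.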


Backout Plan

Using AWS Console

  1. Navigate to the database service.

  2. Select the instance or cluster.

  3. Modify settings to disable Auto Minor Version Upgrade.

  4. Remove any applied maintenance actions if reversible.

  5. Save changes.

Using AWS CLI

  1. Disable auto-upgrade:

     aws rds modify-db-instance --db-instance-identifier <db-instance-id> --no-auto-minor-version-upgrade

  2. Cancel any pending maintenance (if applicable):

     There is no direct CLI command to cancel updates that have already been applied; a manual rollback from restore points or snapshots may be needed.

References

  1. AWS Databases

CIS Controls Mapping
 CIS v8
 • 7 - Continuous Vulnerability Management

CIS v7
 • 3 - Continuous Vulnerability Management